16.08.2010
23.5 The ALRC examined whether the notification requirements in the model Unified Privacy Principles (UPPs) should be set out in the ‘Collection’ principle, or dealt with in a separate privacy principle.
23.6 There is precedent for dealing with notification requirements in a separate privacy principle. Notification is treated as a separate privacy principle, for example, in the Asia-Pacific Economic Cooperation Privacy Framework (2005),[1] and the European Parliament’s Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (1995).[2] In some jurisdictions, however, notification requirements are located within the privacy principle dealing with collection of personal information.[3]
Submissions and consultations
23.7 In response to the Issues Paper, Review of Privacy (IP 31),[4] a number of stakeholders submitted that notification requirements should be located in a separate privacy principle that deals with openness[5] and notification.[6] One stakeholder argued that this would facilitate ‘a more pragmatic discussion of the desirable levels of awareness, and how and when these can be created’.[7]
23.8 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC proposed that the UPPs should contain a principle called ‘Specific Notification’ that sets out the requirements on agencies and organisations to provide specific notification to an individual of particular matters relating to the collection and handling of personal information about the individual.[8]
23.9 Many supported this proposal.[9] Reasons for support included that:
it was confusing to have notification dealt with in the privacy principle dealing with the collection of personal information;[10]
locating notification requirements within the principle dealing with collection of personal information fails to give adequate recognition to the importance of notification;[11]
it would be inappropriate to deal with ‘openness’ requirements in the same privacy principle as ‘notification’ requirements because the requirements have a different emphasis.[12]
23.10 The Office of the Victorian Privacy Commissioner (OVPC), for example, stated that:
Notice statements under a ‘Specific Notification’ privacy principle are generally more tailored to the particular collection practice, as opposed to the more general statements about all types of information handling practices that organisations engage in, as required under an ‘openness’ privacy principle.[13]
23.11 Some stakeholders expressed qualified support for the proposal on the basis that the notification principle should include an exception to allow law enforcement bodies to perform their functions properly.[14]
23.12 A comparatively small number of stakeholders, however, opposed the proposal outright.[15] Reasons for opposing it included that:
there are benefits in retaining the notification requirements in the principle dealing with collection of personal information because it is at this stage of the information cycle that the obligations are triggered;[16]
it aids compliance to have the notification requirements contained within the collection principle because it reminds agencies and organisations that when they collect personal information they have to meet certain notification requirements;[17]
it is unclear, in practical terms, how the introduction of a separate principle dealing with notification reconciles with the principles relating to collection and openness;[18]
it would increase the costs and burden of compliance;[19] and
the approach is inconsistent with a ‘light-touch’ approach to privacy regulation.[20]
ALRC’s view
23.13 The requirements on agencies and organisations to notify or otherwise ensure an individual’s awareness of particular matters relating to the collection or handling of an individual’s personal information should be consolidated in a single, discrete privacy principle. Notification promotes transparency about an entity’s collection and handling of personal information. It is essential in informing individuals about the treatment of their personal information, and their rights in this regard. Dealing with notification in a separate principle, therefore, acknowledges the importance that it plays in the information cycle.
23.14 Concerns about the compliance costs and burden associated with the notification requirements are directed more appropriately to the content of any such requirements, rather than their location.[21] Similarly, stakeholders’ views about the need for an exception in the law enforcement context do not impact on the location of the requirements. They are relevant to considering the broader issue of when the obligation to notify arises.
23.15 The different conceptual nature and focus of the requirements relating to notification and openness render them unsuitable to be located within the one privacy principle. On one hand, the openness principles require individuals to be informed about the general practices of an agency or organisation relating to the handling of personal information. As such, these requirements apply regardless of whether the agency or organisation has actually collected personal information from a particular individual, or whether the agency or organisation simply might do so in the future. On the other hand, the notification principles apply when personal information has been, or will soon be, collected from a particular individual. Consequently, these principles require the agency or organisation to notify an individual about how it will handle the individual’s actual personal information or personal information of the kind collected from the individual.
23.16 It is artificial, however, to regard the operation of the notification and openness principles separately from each other. To do so could duplicate unnecessarily the requirements imposed on agencies and organisations. This is borne out more fully in the discussion below.
Recommendation 23-1 The model Unified Privacy Principles should contain a principle called ‘Notification’ that sets out the requirements on agencies and organisations to notify individuals or otherwise ensure they are aware of particular matters relating to the collection and handling of personal information about the individual.
[1] See Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), Principle II.
[2] See European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), arts 10–11.
[3] See, eg, Privacy Act 1993 (NZ) s 6, Principle 3.
[4] Australian Law Reform Commission, Review of Privacy, IP 31 (2006).
[5] In general terms, the openness principles in the IPPs and NPPs require agencies and organisations to make available a document that sets out their policies relating to the management of personal information. Openness is discussed in Ch 24.
[6] Office of the Privacy Commissioner, Submission PR 215, 28 February 2007; G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007; Australian Privacy Foundation, Submission PR 167, 2 February 2007; Office of the Information Commissioner (Northern Territory), Submission PR 103, 15 January 2007.
[7] G Greenleaf, N Waters and L Bygrave—Cyberspace Law and Policy Centre UNSW, Submission PR 183, 9 February 2007.
[8] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 20–1.
[9] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; I Graham, Submission PR 427, 9 December 2007; Carers Australia, Submission PR 423, 7 December 2007; Australian Digital Alliance, Submission PR 422, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. One stakeholder stated that it ‘did not disagree’ with the proposal: Australian Direct Marketing Association, Submission PR 543, 21 December 2007.
[10] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.
[11] Ibid.
[12] Ibid; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007. See also Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.
[13] Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.
[14] Australian Federal Police, Submission PR 545, 24 December 2007; Queensland Government, Submission PR 490, 19 December 2007.
[15] Confidential, Submission PR 570, 13 February 2008; Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Confidential, Submission PR 536, 21 December 2007; Suncorp-Metway Ltd, Submission PR 525, 21 December 2007; National Australia Bank, Submission PR 408, 7 December 2007.
[16] Confidential, Submission PR 570, 13 February 2008.
[17] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.
[18] Ibid; National Australia Bank, Submission PR 408, 7 December 2007.
[19] Suncorp-Metway Ltd, Submission PR 525, 21 December 2007. Two stakeholders that did not oppose the proposal also noted that agencies would need to be given significant additional resources to comply with the proposed notification requirements: Australian Government Department of Agriculture, Fisheries and Forestry, Submission PR 556, 7 January 2008; Australian Government Department of Human Services, Submission PR 541, 21 December 2007.
[20] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008.
[21] The content of the ‘Notification’ principle is discussed below.